Gloops Posted October 19, 2018 ID:1276514 Share Posted October 19, 2018 Hello everybody, After I downloaded a few utilities to manage shortcuts in the contextual menu of files in the explorer (of Windows 10 64 bits 1803), adwCleaner found nothing, but ZhpCleaner noticed a PUP.Optional.Y2Go, on my online directory by Microsoft's OneDrive -in fact, more precisely, on its local mirror. What is strange is that it is shown in the Directory category, which leads to think that perhaps ZhpCleaner wants to completely remove my online storage mirror ? Or is it a file it wants to remove there, and the display is a little misleading ? Sorry the forum aims the removal of malware, and I come about a possible false positive, or misinterpretation of the display. Link to post Share on other sites More sharing options...
nasdaq Posted October 20, 2018 ID:1276652 Share Posted October 20, 2018 Hello, Welcome to Malwarebytes. I'm nasdaq and will be helping you. If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed. === Download the version of this tool for your operating system.Farbar Recovery Scan Tool (64 bit)Farbar Recovery Scan Tool (32 bit) and save it to a folder on your computer's Desktop. Double-click to run it. When the tool opens click Yes to disclaimer. Press Scan button. It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply. How to attach a file to your reply: In the Reply section in the bottom of the topic Click the "more reply Options" button. Attach the file. Select the "Choose a File" navigate to the location of the File.Click the file you wish to Attach.Click Attach this file.Click the Add reply button. === Please post the logs for my review. Wait for further instructions Link to post Share on other sites More sharing options...
Gloops Posted October 20, 2018 Author ID:1276657 Share Posted October 20, 2018 Oh, as I understand it is less obvious than it appears ? Here they are. FRST.txt Addition.txt Link to post Share on other sites More sharing options...
nasdaq Posted October 20, 2018 ID:1276710 Share Posted October 20, 2018 Hi, Your logs are clean. This extension is unknown. Unless you installed it I suggest you remove it. FF Extension: (irutabs) - C:\Users\canev\AppData\Roaming\Mozilla\Firefox\Profiles\0rv0bxb7.default-1531777023844\Extensions\{ecf0db0e-ed33-46ad-a5ed-4749d20cd8a5}.xpi If you keep it I would like to know where it's from and what it does. Is the problem persisting? Link to post Share on other sites More sharing options...
Gloops Posted October 20, 2018 Author ID:1276715 Share Posted October 20, 2018 Do I uninstall it by removing it from the directory ? Is there any way to know the name of the extension ? Link to post Share on other sites More sharing options...
Gloops Posted October 20, 2018 Author ID:1276717 Share Posted October 20, 2018 Got it ! I try to install it, in the confirmation dialog box, it gives the name. It is "Undo / Duplicate Tab" : https://addons.mozilla.org/fr/firefox/addon/undo-duplicate-tab/?src=search Do you think it is dangerous ? Link to post Share on other sites More sharing options...
Gloops Posted October 20, 2018 Author ID:1276725 Share Posted October 20, 2018 ZhpCleaner finds nothing more. I presume it was a false positive, and ZhpCleaner has already been updated ? As I remember I still have to launch ZhpDiag, if it finds something I come back. Link to post Share on other sites More sharing options...
Gloops Posted October 20, 2018 Author ID:1276731 Share Posted October 20, 2018 Apart from a SmartScreen's alert that wanted to block it, ZhpDiag shows a SUP.Empty.CLSID, that points out that I should find a good documentation about the file types on Windows 10 and ContextMenuHandlers. I do not remember where to find ZhpDiag's logs -even if probably they will not be needed this time. I presume that usbfix.xyz is one of your domains ? Link to post Share on other sites More sharing options...
nasdaq Posted October 21, 2018 ID:1276829 Share Posted October 21, 2018 18 hours ago, Gloops said: Hi, Apart from a SmartScreen's alert that wanted to block it If you are the only user of this computer you can disable the SmartScreen alert. https://www.howtogeek.com/123938/htg-explains-how-the-smartscreen-filter-works-in-windows-8/ It's your call. === I do not know what this is. Only reference in a Chrome search was your topic. FF Extension: (irutabs) - C:\Users\canev\AppData\Roaming\Mozilla\Firefox\Profiles\0rv0bxb7.default-1531777023844\Extensions\{ecf0db0e-ed33-46ad-a5ed-4749d20cd8a5}.xpi === I presume that usbfix.xyz is one of your domains ? No. Where do you see that? Link to post Share on other sites More sharing options...
Gloops Posted October 21, 2018 Author ID:1276841 Share Posted October 21, 2018 50 minutes ago, nasdaq said: Quote Apart from a SmartScreen's alert that wanted to block it If you are the only user of this computer you can disable the SmartScreen alert. Hi, Or I can also ignore it ;) 51 minutes ago, nasdaq said: I do not know what this is. Only reference in a Chrome search was your topic. Quote FF Extension: (irutabs) - C:\Users\canev\AppData\Roaming\Mozilla\Firefox\Profiles\0rv0bxb7.default-1531777023844\Extensions\{ecf0db0e-ed33-46ad-a5ed-4749d20cd8a5}.xpi In fact, no, that was the local mirror. The original address was : https://addons.mozilla.org/fr/firefox/addon/undo-duplicate-tab/?src=search So, an add-on for Firefox that is officially registered ? 53 minutes ago, nasdaq said: Quote I presume that usbfix.xyz is one of your domains ? No. Where do you see that? At the end of each analysis by zhpCleaner or zhpDiag : Link to post Share on other sites More sharing options...
nasdaq Posted October 22, 2018 ID:1277010 Share Posted October 22, 2018 Hi, FF Extension: (irutabs) - C:\Users\canev\AppData\Roaming\Mozilla\Firefox\Profiles\0rv0bxb7.default-1531777023844\Extensions\{ecf0db0e-ed33-46ad-a5ed-4749d20cd8a5}.xpi I checked your link and I'm not impressed. Keep it at your owned risks. === At the end of each analysis by zhpCleaner or zhpDiag : E-set is blocking the address. If you found it safe add the domain to E-set safe list. How to:https://support.eset.com/kb2960/?locale=en_US&viewlocale=en_US Link to post Share on other sites More sharing options...
Gloops Posted October 22, 2018 Author ID:1277096 Share Posted October 22, 2018 Hi, So, I presume I can close duplicate tabs manually. I tended to think that usbfix.xyz was sure because it was called by zhpCleaner or zhpDiag. Of course, if you have different information, that is another story. So, about the main topic we said it was a false positive ? Link to post Share on other sites More sharing options...
nasdaq Posted October 23, 2018 ID:1277217 Share Posted October 23, 2018 Hi, So, I presume I can close duplicate tabs manually. To be safe I would add the domain in the E-set list. Your call. === Any other issues? Link to post Share on other sites More sharing options...
Gloops Posted October 23, 2018 Author ID:1277220 Share Posted October 23, 2018 Hi, So, usbfix.xyz in e-set's white list, I ignore the alert about PUP.Optional.Y2Go, and, just in case, I avoid the "Undo / Duplicate tab" addon. Well, as you say that my logs are clean, everything is OK, thank you. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted December 7, 2018 Root Admin ID:1285434 Share Posted December 7, 2018 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks Link to post Share on other sites More sharing options...
Recommended Posts